CVE-2021-40540

moderate-risk
Published 2021-09-07

ulfius_uri_logger in Ulfius HTTP Framework before 2.7.4 omits con_info initialization and a con_info->request NULL check for certain malformed HTTP requests.

Do I need to act?

~
2.8% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 845a5f471b0f2d2578b0997f531e503d31fda2ae, c83f564c184a27145e07c274b305cabe943bbfaa
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Ulfius

Affected Vendors

Ulfius Project

References (6)

Exploit http://packetstormsecurity.com/files/164152/Ulfius-Web-Framework-Remote-Memory-C...
Patch https://github.com/babelouest/ulfius/commit/c83f564c184a27145e07c274b305cabe943b...
Patch https://github.com/babelouest/ulfius/compare/v2.7.3...v2.7.4
Exploit http://packetstormsecurity.com/files/164152/Ulfius-Web-Framework-Remote-Memory-C...
Patch https://github.com/babelouest/ulfius/commit/c83f564c184a27145e07c274b305cabe943b...
Patch https://github.com/babelouest/ulfius/compare/v2.7.3...v2.7.4
43
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 6/34 · Minimal
Exposure 5/34 · Minimal